Appendix 3 Sanitization Methods

Clear Methodology

One method to sanitize media is to use approved software or hardware products to overwrite user-addressable storage space on the media with non-sensitive data using the standard read and write commands for the device. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also should include all user-addressable locations. The security goal of the overwriting process is to replace moderate/high information with non-sensitive information. Overwriting cannot be used for media that are damaged or not rewriteable, and may not address all areas of the device where sensitive data may be retained. The media type and size may also influence whether overwriting is a suitable sanitization method. For example, flash memory-based storage devices may not support directly addressing all areas where sensitive data has been stored using the native read and write interface.

The clear operation may be different for media other than dedicated storage devices, where the device only provides the ability to return the device to factory state. Where rewriting is not supported, manufacturer resets and procedures that do not include rewriting might be the only option to clear the device and associated media.
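The overwrite form of Clear described above, followed by a full read-back check, is sketched below as an added example that is not part of the original appendix. It runs against a file-backed media image; the function names, the zero fill byte, and the log record fields are assumptions chosen for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB pieces so large media never sit in memory


def clear_by_overwrite(path, fill=0x00):
    """Overwrite every user-addressable byte of `path` with the byte `fill`.
    Reaches only what the normal read/write interface exposes (no spare or
    remapped flash areas). Returns the number of bytes written."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as media:        # r+b: rewrite in place, no truncation
        size = media.seek(0, os.SEEK_END)   # size via seek, not file metadata
        media.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            media.write(block[:n])
            remaining -= n
        media.flush()
        os.fsync(media.fileno())            # ask the OS to commit the writes
    return size


def verify_clear(path, fill=0x00):
    """Full read-back. Returns the offset of the first byte that is not `fill`,
    or None when the whole target holds the fill value."""
    offset = 0
    with open(path, "rb") as media:
        while chunk := media.read(CHUNK):
            if chunk.count(fill) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b != fill)
            offset += len(chunk)
    return None


def sanitize(path, fill=0x00):
    """Clear, verify, and return a record suitable for a sanitization log."""
    written = clear_by_overwrite(path, fill)
    bad = verify_clear(path, fill)
    return {"target": path, "bytes_overwritten": written,
            "verified": bad is None, "first_bad_offset": bad}


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as img:   # constructed sample
        img.write(b"moderate/high record\n" * 100_000)
    print(sanitize(img.name))   # verified False means the Clear did not succeed
    os.remove(img.name)
```

A read-back issued right after the write may be served from the operating system's cache rather than the medium, so a passing result here covers the logical address space only.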

Purge Methodology

Purging is a more intrusive type of sanitization, including overwrite, block erase, and Cryptographic Erase. Purging, in cases where the media is operable, can also include destructive techniques, including incineration, shredding, disintegrating, degaussing, and pulverizing. The common benefit across all these approaches is assurance that the data is infeasible to recover. However, please note that bending and cutting may only damage the media, as portions of the media may remain undamaged and therefore accessible using advanced recovery techniques.

Degaussing renders a storage device inaccessible when the strength of the degausser is sufficient. Degaussing should never be solely relied upon for flash memory-based storage devices or for magnetic storage devices that also contain non-volatile non-magnetic storage. Degaussing renders many types of devices unusable.

Destroy Methodology

There are many different types, techniques, and procedures for media destruction. While some techniques may render the moderate/high information infeasible to retrieve through the device interface and unable to be used for subsequent storage of data, the device is not considered destroyed unless information retrieval is infeasible.

  • Disintegrate, Pulverize, Melt, and Incinerate. These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced facility with the specific capabilities to perform these activities effectively, securely, and safely.
  • Shred. Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed. To make reconstructing the data even more difficult, the shredded material can be mixed with non-sensitive material of the same type (e.g., shredded paper or shredded flexible media).

The application of destructive techniques may be the only option when the media fails and other clear or purge techniques cannot be effectively applied to the media, or when the verification of clear or purge methods fails.